ico. 


Information Commissioner's Office 


DATA PROTECTION ACT 1998 
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 


MONETARY PENALTY NOTICE 


To: Tempcover Ltd 


Of: Second Floor, 
Admiral House, 
Harlington Way, 
Fleet, 

Hampshire, 
England, GU51 4BB 


1. The Information Commissioner (“the Commissioner”) has decided to 
issue Tempcover Ltd (“Tempcover”) with a monetary penalty under 
section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in 
relation to a serious contravention of Regulation 22 of the Privacy and 
Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 


2: This notice explains the Commissioner's decision. 


Legal framework 


3: Tempcover, whose registered office address is given above (Companies 
House Registration Number: 09923259) is the organisation stated in 
this notice to have transmitted unsolicited communications by means 
of electronic mail to individual subscribers for the purposes of direct 


marketing contrary to regulation 22 of PECR. 


4. Regulation 22 of PECR states: 
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"“(1) This regulation applies to the transmission of unsolicited 
communications by means of electronic mail to individual 
subscribers. 

(2) Except in the circumstances referred to in paragraph (3), a person 
shall neither transmit, nor instigate the transmission of, unsolicited 
communications for the purposes of direct marketing by means of 
electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being 
to such communications being sent by, or at the instigation of, the 
sender. 

(3) A person may send or instigate the sending of electronic mail for 
the purposes of direct marketing where— 

(a) that person has obtained the contact details of the recipient 
of that electronic mail in the course of the sale or 
negotiations for the sale of a product or service to that 
recipient; 

(b) the direct marketing is in respect of that person’s similar 
products and services only; and 

(c) the recipient has been given a simple means of refusing 
(free of charge except for the costs of the transmission of 
the refusal) the use of his contact details for the purposes 
of such direct marketing, at the time that the details were 
initially collected, and, where he did not initially refuse the 
use of the details, at the time of each subsequent 
communication. 

(4) A subscriber shall not permit his line to be used in contravention of 


paragraph (2).” 
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Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines 
direct marketing as “the communication (by whatever means) of 
advertising or marketing material which is directed to particular 
individuals”. This definition also applies for the purposes of PECR (see 


regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of 
the DPA18). 


At the material time, consent was defined by reference to the concept 
of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2) of the 
Data Protection, Privacy and Electronic Communications (Amendments 
etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the 
following definition: “‘consent’ of the data subject means any freely 
given, specific, informed and unambiguous indication of the data 
subject's wishes by which he or she, by a statement or by a clear 
affirmative action, signifies agreement to the processing of personal 


data relating to him or her”. 


Recital 32 of the GDPR materially states that "When the processing has 
multiple purposes, consent should be given for all of them”. Recital 42 
materially provides that “For consent to be informed, the data subject 
should be aware at least of the identity of the controller”. Recital 43 
materially states that “Consent is presumed not to be freely given if it 
does not allow separate consent to be given to different personal data 


processing operations despite it being appropriate in the individual case”. 


“Individual” is defined in regulation 2(1) of PECR as “a living individual 


and includes an unincorporated body of such individuals”. 


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 
a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 
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10. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, 
voice, sound or image message sent over a public electronic 
communications network which can be stored in the network or in the 
recipient’s terminal equipment until it is collected by the recipient and 


includes messages sent using a short message service”. 


11. The term "soft opt-in" is used to describe the rule set out in in 
Regulation 22(3) of PECR. In essence, an organisation may be able to 
e-mail its existing customers even if they haven't specifically consented 
to electronic mail. The soft opt-in rule can only be relied upon by the 


organisation that collected the contact details. 


12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to 


PECR, as variously amended) states: 


"(1) The Commissioner may serve a person with a monetary penalty if 
the Commissioner is satisfied that - 
(a) there has been a serious contravention of the requirements 
of the Privacy and Electronic Communications (EC 
Directive) Regulations 2003 by the person, 
(b) subsection (2) or (3) applies. 
(2) This subsection applies if the contravention was deliberate. 
(3) This subsection applies if the person - 
(a) knew or ought to have known that there was a risk that the 
contravention would occur, but 
(b) failed to take reasonable steps to prevent the 


contravention.” 


13. 


14. 
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16. 


17. 


18. 
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The Commissioner has issued statutory guidance under section 55C (1) 


of the DPA about the issuing of monetary penalties that has been 
published on the ICO’s website. 


The Data Protection (Monetary Penalties) (Maximum Penalty and 
Notices) Regulations 2010 prescribe that the amount of any penalty 


determined by the Commissioner must not exceed £500,000. 


PECR were enacted to protect the individual’s fundamental right to 
privacy in the electronic communications sector. PECR were 
subsequently amended and strengthened. The Commissioner will 
interpret PECR in a way which is consistent with the Regulations’ 
overall aim of ensuring high levels of protection for individuals’ privacy 


rights. 


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the DPA18: see paragraph 58(1) of 
Schedule 20 to the DPA18. 


Background to the case 


Mobile phone users can report the receipt of unsolicited marketing text 
messages to the Mobile UK’s Spam Reporting Service by forwarding the 
message to 7726 (spelling out “SPAM”). Mobile UK is an organisation 
that represents the interests of mobile operators across the UK. The 
Commissioner is provided with access to the data on complaints made 
to the 7726 service and this data is incorporated into a Monthly Threat 


Assessment (“MTA”) used to ascertain organisations in breach of PECR. 


Tempcover operate within the financial sector as a provider of short- 


term motor insurance. 


19. 


20. 
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In May 2020, from analysing the information within the MTA, the 
Commissioner was able to ascertain that between 1 November 2019 
and 18 May 2020 there were a total of 13 complaints received from 
which Tempcover could be identified; of these, 12 were made via the 
7726 service, and 1 was made directly to the Commissioner. The 


content of the complaints contained text to the following effect?: 


“Still Driving Occasionally? Get 10-25 Off Temporary Insurance & Only 
Pay for What You Need: http://mOr.at/ipuT&C: http://mOr.at/ipv 
OptOut txt PKLT to 88802” 


“Plan Your Travel Under New Lockdown Driving Rules & Get A£10-A£25 
off Temporary Insurance: http://mOr.at/ineT&C: http://mOr.at/inf 
OptOut: txt PKLT to 88802” 


“Driving Less? Get the Cover You Need, When You Need It & Save 
A£10-A£25 on Temporary Insurance: http://mOr.at/idPT&C: 
http://mOr.at/idQ OptOut txt PKLT to 88802” 


By following the links within the messages, an individual would be 


directed to Tempcover’s website. 


The Commissioner sent an initial investigation letter to Tempcover on 
26 May 2020, outlining concerns regarding its compliance with PECR, 
and asking a series of questions in relation to its direct marketing text 
message campaigns. The Commissioner specifically sought details 
regarding Tempcover’s practices between 26 May 2019 and 26 May 
2020. 


' This list is non-exhaustive 
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22. Tempcover provided a response on 11 June 2020, confirming that it 
uses the Calling Line Identity (“CLI”): ‘07860021976’ to send its direct 
marketing text messages, although it advised that the message would 
appear to subscribers as being sent specifically from the named entity: 


‘Tempcover’. 


23. It was confirmed that between 26 May 2019 and 26 May 2020 there 
were a total of 1,905,776 direct marketing text messages sent by 
Tempcover?. In advising how many of those messages had been 
received by subscribers, Tempcover advised that its retention policy 
allowed it to access only the relevant data between 26 November 2019 
and 26 May 2020; from this it could determine that 1,148,247 text 


messages were successfully received by subscribers. 


24. Tempcover advised that it obtained the data which it used for its direct 
marketing campaigns directly from individuals who would use its 
website to obtain a quote or to buy temporary insurance. Tempcover 
advised that it provides individuals with a clear link to its privacy policy 


and terms & conditions which state the following: 


“By submitting your information to the Tempcover Site (“Our Site”) you 
are consenting to the processing of your information by us and our 


agents in accordance with this Privacy Policy. 


By obtaining a quote from us, you consent to Tempcover contacting you, 
by email and/or SMS, with details of our new products, services and 


promotions. You can opt out from this at any time by contacting us on 


? Tempcover advised that its “SMS marketing programme” had actually commenced in August 2019. 
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contactus@tempcover.com or following the ‘unsubscribe/opt-out’ link in 


your email or SMS.” 


Tempcover went on to advise the Commissioner that “/b/efore 
proceeding to the data capture part of the quote process, the customer 
must click a button which says 'AGREE AND CONTINUE’ to show their 
acceptance in proceeding to the quote page knowing that we will 
process their data in accordance with our privacy policy and terms of 


business, which they have been provided access to”. 


Tempcover advised that it operates an internal suppression list, which 


is “updated in real-time”. 


Tempcover confirmed that, in relation to PECR training, any new 
starters which join its ‘Marketing and Customer Operations & 
Compliance Departments’ receive a PECR training pack to ensure their 
understanding of the regulations. In specific response to the 
Commissioner’s request for any policies or procedures regarding 


Tempcover’s responsibilities under PECR, it advised: 


“Prior to going live with our first outbound SMS campaign in August 
2019, we conducted a Legitimate Interest Assessment. We walked 
through the Purpose Test, Necessity Test and Balancing, before 
deciding whether we could rely on legitimate interest for the 
processing of customers contact details to send them SMS marketing 
communications. This assessment was conducted by our Head of 
Customer Operations & Compliance, who had previously spent 
considerable time on the ICO website researching how to conduct 
LIA’s. The assessment was then shared with and reviewed by our Data 
Protection Officer (DPO) and the Marketing Department to ensure we 


were all in agreement with the result of the assessment; that we could 
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rely on the grounds of legitimate interest for processing customer 


contact data for SMS communications.” 


It is apparent from Tempcover’s response and from the contents of its 
PECR training materials that at the time which an individual provided 
their details, they were not provided with a separate option to either 
opt-in to or opt-out of direct marketing. Rather, Tempcover used an 
individual’s mandatory agreement to the site’s terms and conditions / 
privacy policy as the basis on which to conduct its direct marketing 
campaign, acting under the belief that it could rely on ‘legitimate 


interest’. 


As it appeared from Tempcover’s response that it would also transmit 
direct marketing emails in addition to text messages, on 10 July 2020 
the Commissioner sent an email with further enquiries to Tempcover, 
specifically seeking details regarding its email marketing campaign, 


and further information regarding its text message campaign. 


Tempcover responded on 23 July 2020 and explained that between 26 
May 2019 and 26 May 2020 it sent a total of 29,156,023 emails, and 


that, of those, 28,822,172 were successfully delivered to a recipient. 


Tempcover also provided a file containing details of the body of the 
direct marketing text messages and the body of the direct marketing 
emails which were sent between 26 May 2019 and 26 May 2020. The 
Commissioner is satisfied that the content of the direct marketing 
messages which were sent by Tempcover constitutes direct marketing 
within the definition of 122(5) DPA18. 


Tempcover also confirmed an increase in the frequency of its marketing 


in response to the Covid-19 pandemic, specifically stating: 
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“We increased the frequency of SMS marketing from once per week to 
twice per week on the 6th April 2020. Due to the Covid:19 crisis, we 
saw a shift in our customer demand weighted from the weekend 
towards the start of the working week, this is why we decided to 
include an additional send on a Monday. This was a reflection of the 
lockdown conditions where leisure travel was minimised, and key 


workers moved away from public to private transport.” 


On 5 August 2020 the Commissioner sent further correspondence to 
Tempcover advising of concerns with Tempcover’s compliance with 
PECR, and asking for confirmation of any steps which Tempcover may 


be taking to ensure future compliance with the legislation. 


Tempcover responded on 12 August 2020 and advised of a range of 
measures which were currently being implemented to ensure future 
compliance with PECR, amongst which would be a separate button 
allowing individuals to select their marketing preferences at the point 


of consent being obtained. 


The Commissioner has made the above findings of fact on the 


balance of probabilities. 
The Commissioner has considered whether those facts constitute 
a contravention of regulation 22 of PECR by Tempcover and, if so, 


whether the conditions of section 55A DPA are satisfied. 


The contravention 


37. 
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The Commissioner finds that Tempcover contravened regulation 22 of 
PECR. 


The Commissioner finds that the contravention was as follows: 


The Commissioner finds that between 26 May 2019 and 26 May 2020 
there were 1,905,776 unsolicited direct marketing text messages sent 
by Tempcover, of which 1,148,247 were confirmed to have been 


received by subscribers. 


The Commissioner also finds that between 26 May 2019 and 26 May 
2020 there were 29,156,023 unsolicited direct marketing emails sent 
by Tempcover, of which 28,822,172 were confirmed to have been 


received by subscribers. 


Accordingly, the Commissioner finds that between 26 May 2019 and 26 
May 2020 there were 29,970,419 unsolicited direct marketing 


messages received by subscribers. 


The Commissioner finds that Tempcover transmitted those direct 


marketing messages, contrary to regulation 22 of PECR. 


Tempcover, as the sender of the direct marketing, is required to ensure 
that it is acting in compliance with the requirements of regulation 22 of 
PECR, and to ensure that either it held valid consent to send those 


messages, or that the soft opt-in applied. 


In this instance Tempcover sent unsolicited direct marketing messages 
to subscribers who had entered their details on Tempcover’s website 
with a view to obtaining a quote for insurance. Tempcover failed to 


provide these subscribers with an opportunity to opt-out of direct 
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marketing when first obtaining their details, and essentially made 
agreement to marketing a condition of service. For this reason, the 


consent to receive unsolicited direct marketing messages cannot be 


said to have been ‘freely given’. 


Furthermore, by agreeing to use Tempcover’s service, individuals were 
automatically opted in to receiving both unsolicited direct marketing 
emails and SMS messages, without the ability to specify which, if any, 
of the types of communication they may be willing to receive. In this 
sense, the subscriber was not given an active choice, and the consent 


relied on cannot be said to be sufficiently ‘specific’. 


For the above reasons, Tempcover cannot therefore be said to have 


held valid consent. 


In terms of whether the soft opt-in could apply, the Commissioner 
would observe that Tempcover appeared to have obtained the contact 
details for its intended recipients in the course of a sale (or negotiation 
for a sale) of a product/service; it did not rely on bought-in lists. 
Further, it appeared that Tempcover used the unsolicited direct 
marketing as a way of marketing only its own similar 
products/services. It is likely therefore that Tempcover would be able 
to satisfy the requirements of Regulation 22(3)(a) and 22(3)(b) PECR. 


However, it is clear that whilst Tempcover met the criteria of 
Regulation 22(3)(a) and 22(3)(b) PECR, it failed to provide individuals 
with a simple means of refusing the use of their contact details for 
direct marketing at the time that the details were initially collected, and 
therefore Tempcover is unable to satisfy the requirements of 
Regulation 22(3)(c) PECR. Accordingly, it cannot rely on the soft opt-in 


as all three criteria are required to have been met. 
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Whilst Tempcover has previously sought to claim a reliance on 
‘Legitimate Interest’ as justification for the transmission of its 
unsolicited direct marketing messages, it is the case that ‘Legitimate 
Interest’ is not a lawful basis upon which a person can rely for the 
purposes of PECR. As explained previously, such messages can only be 


sent with valid consent, or where the soft opt-in applies. 


The Commissioner is satisfied from the evidence he has seen that 
Tempcover did not have the necessary valid consent for the 
29,970,419 direct marketing messages received by subscribers, nor 


could it rely on the soft opt-in exemption. 


The Commissioner has gone on to consider whether the conditions 


under section 55A DPA are met. 
Seriousness of the contravention 


The Commissioner is satisfied that the contravention identified 

above was serious. This is because between 26 May 2019 and 26 May 
2020 a confirmed total of 29,970,419 direct marketing messages were 
received by subscribers, having been sent by Tempcover. These 
messages contained direct marketing material for which subscribers 
had not provided valid consent, furthermore, for the reasons explained 
above, the Commissioner is satisfied that Tempcover cannot rely on 


the soft opt-in exemption. 


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions 
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The Commissioner has considered whether the contravention identified 
above was deliberate. The Commissioner does not consider that 


Tempcover deliberately set out to contravene PECR in this instance. 


The Commissioner has gone on to consider whether the contravention 
identified above was negligent. This consideration comprises two 


elements: 


Firstly, he has considered whether Tempcover knew or ought 
reasonably to have known that there was a risk that these 
contraventions would occur. This is not a high bar, and he is satisfied 
that this condition is met, not least given that the issue of unsolicited 
direct marketing messages have been widely publicised by the media in 


recent years as being a problem. 


The Commissioner has published detailed guidance for those carrying 
out direct marketing explaining their legal obligations under PECR. 

This guidance gives clear advice regarding the requirements of consent 
for direct marketing and explains the circumstances under which 
organisations are able to carry out marketing over the phone, by text, 
by email, by post, or by fax. In particular it states that organisations 
can generally only send, or instigate, electronic marketing messages to 
individuals if that person has specifically consented to receiving them. 
The guidance also provides a full explanation of the soft opt-in 
exemption. In addition, the Commissioner has published detailed 
guidance on consent under the GDPR. In case organisations remain 
unclear on their obligations, the Commissioner operates a telephone 
helpline. ICO communications about previous enforcement action 
where businesses have not complied with PECR are also readily 


available. 
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The Commissioner is further assured that Tempcover knew or ought 
reasonably to have known that there were risks inherent in its direct 
marketing activities given that during the investigation the 
Commissioner was provided with copies of Tempcover’s own training 
materials which made specific reference to PECR, and the need for 


compliance with the legislation. 


It is therefore reasonable to suppose that Tempcover should have been 


aware of its responsibilities in this area. 


Secondly, the Commissioner has gone on to consider whether 
Tempcover failed to take reasonable steps to prevent the 


contraventions. Again, he is satisfied that this condition is met. 


Tempcover failed to ensure that it held valid consent for the direct 
marketing messages which it sent, or that it met the necessary criteria 
to rely on the soft opt-in provisions of Regulation 22 PECR. Reasonable 
steps in this instance would have included providing potential 
customers with a simple ability to opt out of unsolicited direct 


marketing at the point which their details were taken. 


There is no evidence that Tempcover sought to obtain independent 
legal advice, or advice from the Commissioner, prior to engaging in its 
direct marketing campaign, as would be reasonable to do, particularly 


given the gravity of the marketing campaign that it embarked upon. 


In the circumstances, the Commissioner is satisfied that Tempcover 


failed to take reasonable steps to prevent the contraventions. 
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The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner’s decision to issue a monetary penalt 


The Commissioner has taken into account the following 


aggravating features of this case: 


e The Commissioner finds that Tempcover would have benefitted 


financially from its unlawful actions. 


e Tempcover’s own guidance refers to the steps necessary to comply with 


PECR. That Tempcover is alleged within this Notice to have contravened 
Regulation 22 PECR would suggest that it failed to take steps to adhere 


to its own guidance. 


The Commissioner has taken into account the following mitigating 


feature of this case: 


e Tempcover has made changes to its practices in light of the 
Commissioner’s investigation, and now allows subscribers the ability to 
opt out of unsolicited direct marketing at the point which consent is 


obtained. 


For the reasons explained above, the Commissioner is satisfied that the 
conditions from section 55A (1) DPA have been met in this case. He is 
also satisfied that the procedural rights under section 55B have been 


complied with. 


The latter has included the issuing of a Notice of Intent, in which the 


Commissioner set out his preliminary thinking. In reaching his final 
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view, the Commissioner has taken into account the representations 


made by Tempcover on this matter. 


The Commissioner is accordingly entitled to issue a monetary penalty 
in this case. 


The Commissioner has considered whether, in the circumstances, he 


should exercise his discretion so as to issue a monetary penalty. 


The Commissioner has considered the likely impact of a monetary 
penalty on Tempcover. He has decided on the information that is 
available to him that Tempcover has access to sufficient financial 
resources to pay the proposed monetary penalty without causing 


undue financial hardship. 


The Commissioner's underlying objective in imposing a monetary 
penalty notice is to promote compliance with PECR. The sending of 
unsolicited direct marketing messages is a matter of significant public 
concern. A monetary penalty in this case should act as a general 
encouragement towards compliance with the law, or at least as a 
deterrent against non-compliance, on the part of all persons running 
businesses currently engaging in these practices. The issuing of a 
monetary penalty will reinforce the need for businesses to ensure that 
they are only messaging those who specifically consent to receive 


unsolicited direct marketing. 


For these reasons, the Commissioner has decided to issue a monetary 


penalty in this case. 


The amount of the penalty 
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Taking into account all of the above, the Commissioner has decided 
that a penalty in the sum of £85,000 (eighty-five thousand 
pounds) is reasonable and proportionate given the particular facts of 


the case and the underlying objective in imposing the penalty. 
Conclusion 


The monetary penalty must be paid to the Commissioner's office by 
BACS transfer or cheque by 9 March 2022 at the latest. The monetary 
penalty is not kept by the Commissioner but will be paid into the 
Consolidated Fund which is the Government’s general bank account at 
the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by 
8 March 2022 the Commissioner will reduce the monetary penalty by 
20% to £68,000 (sixty-eight thousand pounds). However, you 

should be aware that the early payment discount is not available if you 


decide to exercise your right of appeal. 


There is a right of appeal to the First-tier Tribunal (Information Rights) 
against: 


(a) the imposition of the monetary penalty 
and/or; 
(b) the amount of the penalty specified in the monetary penalty 


notice. 


Any notice of appeal should be received by the Tribunal within 28 days 


of the date of this monetary penalty notice. 


Information about appeals is set out in Annex 1. 
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80. The Commissioner will not take action to enforce a monetary penalty 


unless: 


e the period specified within the notice within which a monetary 
penalty must be paid has expired and all or any of the monetary 
penalty has not been paid; 

e all relevant appeals against the monetary penalty notice and any 
variation of it have either been decided or withdrawn; and 

e the period for appealing against the monetary penalty and any 


variation of it has expired. 


81. In England, Wales and Northern Ireland, the monetary penalty is 
recoverable by Order of the County Court or the High Court. In 
Scotland, the monetary penalty can be enforced in the same manner as 
an extract registered decree arbitral bearing a warrant for execution 


issued by the sheriff court of any sheriffdom in Scotland. 
Dated the 7t" day of February 2022 


Andy Curry 

Head of Investigations 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 55B(5) of the Data Protection Act 1998 gives any person 
upon whom a monetary penalty notice has been served a right of 
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) 


against the notice. 
2. If you decide to appeal and if the Tribunal considers: - 


a) that the notice against which the appeal is brought is not in 


accordance with the law; or 


b) to the extent that the notice involved an exercise of 
discretion by the Commissioner, that he ought to have exercised 


his discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 


Tribunal will dismiss the appeal. 


3. You may bring an appeal by serving a notice of appeal on the 


Tribunal at the following address: 


General Regulatory Chamber 
HM Courts & Tribunals Service 
PO Box 9300 

Leicester 

LEi 8DJ 
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Telephone: 0203 936 8963 
Email: grc@justice.gov.uk 


a) The notice of appeal should be sent so it is received by the 


Tribunal within 28 days of the date of the notice. 

b) If your notice of appeal is late the Tribunal will not admit it 
unless the Tribunal has extended the time for complying with this 
rule. 


The notice of appeal should state:- 


a) your name and address/name and address of your 


representative (if any); 


b) an address where documents may be sent or delivered to 


you; 

c) the name and address of the Information Commissioner; 
d) details of the decision to which the proceedings relate; 
e) the result that you are seeking; 

f) the grounds on which you rely; 


g) you must provide with the notice of appeal a copy of the 


monetary penalty notice or variation notice; 


h) if you have exceeded the time limit mentioned above the 


notice of appeal must include a request for an extension of time 
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and the reason why the notice of appeal was not provided in 


time. 


5: Before deciding whether or not to appeal you may wish to consult 
your solicitor or another adviser. At the hearing of an appeal a party 
may conduct his case himself or may be represented by any person 


whom he may appoint for that purpose. 


6. The statutory provisions concerning appeals to the First-tier 
Tribunal (Information Rights) are contained in section 55B(5) of, and 
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure 
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 
(Statutory Instrument 2009 No. 1976 (L.20)). 
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